23 July 2018

Risk assessments for GDPR compliance

When I was studying for the CISA and CISM certifications, I read a lot about Business Impact Analysis and the Risk Management Process. That was cool because Ariadnex was ISO 27001 compliant and I had to help them get ready for compliance with these kinds of processes. Today we also have to be GDPR compliant, since all EU citizens have cyber rights under the new GDPR. This is a good opportunity to reinforce my knowledge about risk assessments, because they are essential for the new regulation.

All businesses have to comply with GDPR because most of them process personal data of their employees for salaries, benefits and social security. Most of them also have a recruitment process, or they evaluate their employees. There are also companies which store and process lots of personal data for advertising campaigns, or which process sensitive data, as the health sector does. Therefore, there is personal data processing everywhere, and these businesses have to comply with the new regulation.

The first step for compliance is to know what personal data the company is processing, because we’ll have to define and design the processing operations of personal data as well as the purpose of the processing. Once this is done, we can use tools such as Facilita, which tell us what we have to do with personal data processing. If we don’t have too much personal data and the risk level is low, maybe we only have to do some paperwork and buy some tech stuff.

Workflow for GDPR compliance

However, if we have too much personal data or sensitive data, we should evaluate a proposal to identify potential effects on individuals’ privacy and personal data. Therefore, we have to know whether a basic risk assessment is enough for the company or whether a Data Protection Impact Assessment (DPIA) will be necessary, which is an exhaustive process known as privacy by design, where projects are designed with data protection in mind from the beginning.

If the company doesn’t have high-risk personal data processing, we’ll have to do a basic risk assessment. This risk assessment will have to take into account the loss of integrity, availability and confidentiality of personal data, and it will also have to take into account the rights and freedoms of individuals. However, this shouldn’t be an exhaustive risk assessment but an essential one, where only critical risks are considered, such as unauthorized access, unintentional loss or lack of procedures.

Finally, if the company has high-risk personal data processing, we’ll have to do an exhaustive risk assessment through the DPIA process, where we evaluate the impact and the probability of threat occurrence for each risk, to know the level of risk of each personal data processing activity. I know, it is demanding work, but it is mandatory for GDPR compliance.